Understanding sudo vs su - Safe Privilege Escalation in Linux
What You'll Learn
- The key difference between `sudo` and `su`
- Why `sudo` is the recommended approach for privilege escalation
- How to configure `sudoers` safely using `visudo`
- Common mistakes and how to avoid them
Quick Summary
- Run one command as root → `sudo command`
- Start an extended root session (use sparingly) → `sudo -i`
- Run as another user → `sudo -u username command`

`su -` requires the root password, which is disabled by default on Ubuntu. Use `sudo -i` instead.
Prerequisites
- OS: Ubuntu (or other Debian-based distros)
- Your user account is a member of the `sudo` group
What Is the Difference Between sudo and su?
Both sudo (substitute user do) and su (switch user) elevate privileges, but they work differently.
| Aspect | sudo | su |
|---|---|---|
| Authentication | Your own password | Target user's password |
| Root password needed | No | Yes (for `su -`) |
| Audit logging | Every invocation in /var/log/auth.log | Minimal |
| Permission control | Per-command via /etc/sudoers | Full root access |
| Ubuntu default | Available | Blocked (root password disabled) |
sudo is the preferred tool because it enforces least-privilege access per user without sharing the root password.
How to Use sudo
2-1. Basic Usage — One Command at a Time
```shell
$ sudo command
```
Examples:
```shell
$ sudo apt update
$ sudo systemctl restart nginx
```
2-2. Start a Root Login Shell
```shell
$ sudo -i
```
sudo -i launches a root shell that loads root's environment variables and .profile. Use this only when you need to run multiple commands as root.
Always exit the root shell when done. Running as root unnecessarily increases the risk of accidental damage.
2-3. Run as Another User
```shell
$ sudo -u username command
```
Example — run a command as www-data:
```shell
$ sudo -u www-data php /var/www/html/artisan cache:clear
```
2-4. How Long Does sudo Stay Active?
After successful authentication, sudo caches credentials for 15 minutes by default. To invalidate the cache manually:
```shell
$ sudo -k
```
To list your current sudo permissions:
```shell
$ sudo -l
```
How to Use su
3-1. su - for a Login Shell
```shell
$ su - [username]
```
The - flag (equivalent to -l or --login) recreates the target user's full login environment — home directory, environment variables, and PATH.
```shell
$ su - deploy   # Start a login shell as the deploy user
```
3-2. su vs su - — What Changes?
```shell
$ su username     # Warning: inherits YOUR current environment
$ su - username   # Correct: reproduces the target user's login environment
```
Using `su username` without `-` carries your current environment variables (including PATH and HOME) over into the new shell. This often causes PATH confusion and `command not found` errors in the target user's context, because the commands and dotfiles that user expects are not on your PATH.
3-3. Why su Doesn't Work on Ubuntu by Default
Ubuntu disables the root account password by default. Attempting su - to switch to root fails at authentication:
```shell
$ su -
Password:
su: Authentication failure   # root password is disabled
```
Use sudo -i instead for an interactive root shell on Ubuntu.
Why Is sudo Recommended?
The core advantage of sudo over su is its security model.
Every action is logged. Each sudo invocation records who ran what command and when in /var/log/auth.log:
```shell
$ sudo grep sudo /var/log/auth.log | tail -3
May 31 10:30:01 host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
```
Least-privilege enforcement. sudoers lets you grant only the commands a user actually needs. An operator can restart a specific service without getting full root access.
No shared root password. Team members authenticate with their own passwords, keeping credentials individual and revocable.
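The audit trail is only useful if someone reads it. The following script is an added example (not part of the original article) that turns the auth.log records shown above into three short reports: who ran what as whom, who opened an interactive root shell, and who was refused. The lines in `SAMPLE_LOG` are constructed samples in the format sudo writes; on a real host replace the variable with `cat /var/log/auth.log`. The helper names `sudo_events`, `sudo_root_shells` and `sudo_failures` are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: summarise sudo activity from
# /var/log/auth.log-style records. SAMPLE_LOG below is a constructed sample.

SAMPLE_LOG='May 31 10:30:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
May 31 10:31:12 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
May 31 10:32:45 host sudo:    deploy : TTY=pts/1 ; PWD=/srv/app ; USER=www-data ; COMMAND=/usr/bin/php /var/www/html/artisan cache:clear
May 31 10:33:02 host sudo:    bob : command not allowed ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/visudo
May 31 10:34:10 host sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1001 euid=0 tty=/dev/pts/2 ruser=bob rhost=  user=bob
May 31 10:35:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -'

# sudo_events: read auth.log lines on stdin and print one tab-separated record
# per sudo invocation: invoking user, target user, status, command.
# Status is "ok" or the reason sudo logged ("command not allowed", ...).
# PAM lines (no USER=/COMMAND= fields) are not invocation records and are skipped.
sudo_events() {
    awk '
        /sudo:/ && /USER=/ && /COMMAND=/ {
            n = split($0, f, / ; /)
            # f[1] is "... sudo:    alice : TTY=pts/0" for an allowed command,
            # or "... sudo:    bob : command not allowed" for a refused one.
            split(f[1], head, /sudo: +/)
            m = split(head[2], who, / : /)
            user = who[1]
            status = (m < 2 || who[2] ~ /^TTY=/) ? "ok" : who[2]
            runas = ""; cmd = ""
            for (i = 2; i <= n; i++) {
                if (f[i] ~ /^USER=/)    runas = substr(f[i], 6)
                if (f[i] ~ /^COMMAND=/) cmd   = substr(f[i], 9)
            }
            printf "%s\t%s\t%s\t%s\n", user, runas, status, cmd
        }'
}

# sudo_root_shells: users who obtained an interactive root shell (sudo -i,
# sudo -s, sudo bash, sudo su ...), the sessions the article says to use sparingly.
sudo_root_shells() {
    sudo_events | awk -F'\t' '
        $2 == "root" && $3 == "ok" && $4 ~ /^(\/usr)?\/bin\/((ba|z|da)?sh|su)( |$)/ { print $1 }
    ' | sort -u
}

# sudo_failures: user and logged reason for every refused invocation.
sudo_failures() {
    sudo_events | awk -F'\t' '$3 != "ok" { printf "%s\t%s\n", $1, $3 }'
}

# Run the three reports over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | sudo_events
printf '%s\n' "$SAMPLE_LOG" | sudo_root_shells
printf '%s\n' "$SAMPLE_LOG" | sudo_failures
```

On the sample, `sudo_root_shells` reports only `alice` (her `/bin/bash` and `/bin/su -` sessions), and `sudo_failures` reports `bob` with `command not allowed`, the line sudo writes when a sudoers rule does not cover the requested command.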
Configuring sudoers with visudo
5-1. Always Use visudo
/etc/sudoers must be edited with visudo. It validates syntax before saving, preventing lockout scenarios where a broken sudoers file makes sudo unusable.
```shell
$ sudo visudo
```
Never edit /etc/sudoers directly with vi or nano. A syntax error disables sudo entirely. On Ubuntu, where root login is disabled by default, recovering from this requires a rescue boot.
5-2. Basic Syntax
```shell
# user   host=(run-as) command
alice    ALL=(ALL) ALL

# NOPASSWD: skip the password prompt for one specific command
deploy   ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
```
5-3. Grant Permissions to a Group
```shell
# Prefix group names with %
%admin   ALL=(ALL) ALL

# Note: a command listed without arguments may be run with ANY arguments,
# so this lets the group run every systemctl subcommand without a password
%deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl
```
5-4. Use Drop-In Files (Recommended)
For production environments, avoid editing sudoers directly. Place per-role files under /etc/sudoers.d/ instead:
```shell
$ sudo visudo -f /etc/sudoers.d/deploy
```
Content:
```shell
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
```
Common Mistakes
Setting NOPASSWD for ALL Commands
```shell
# Dangerous in production:
alice ALL=(ALL) NOPASSWD: ALL
```
This eliminates all password friction. Acceptable on local dev boxes, but copying this config to a production server is a critical security risk. Restrict to specific commands.
Editing sudoers without visudo
Running vi /etc/sudoers directly and introducing a syntax error disables sudo. Always use visudo — it performs a syntax check before writing the file.
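The drop-in workflow from 5-4 and the two mistakes above (NOPASSWD for ALL, editing without a syntax check) can be enforced in one place. The following script is an added example (not part of the original article): `sudoers_audit` flags the over-broad NOPASSWD grants, and `install_dropin` refuses a rule set the audit rejects, runs `visudo -cf` on it when visudo is installed, and installs it under `/etc/sudoers.d/` with mode 0440. Both helper names, the `SUDOERS_D` override variable and the rules in `SAMPLE_RULES` are this example's own constructions.

```shell
#!/bin/sh
# Added example, not from the original article: audit sudoers drop-in rules for
# over-broad NOPASSWD grants and install a drop-in the safe way.
# SAMPLE_RULES is a constructed sample; SUDOERS_D is this example's own override
# (default /etc/sudoers.d) so the install path can be exercised in a temp dir.

SAMPLE_RULES='# constructed sample rules
alice   ALL=(ALL) ALL
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
%deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl
dev     ALL=(ALL) NOPASSWD: ALL'

# sudoers_audit: read rules on stdin, print one tab-separated finding per risky
# NOPASSWD grant. Two checks: "NOPASSWD: ALL" (the mistake the article calls
# out), and a NOPASSWD command listed without arguments, which sudoers treats
# as "any arguments" (so /usr/bin/systemctl alone permits every subcommand).
sudoers_audit() {
    awk '
        /^[ \t]*#/ { next }                     # skip comments
        /^[ \t]*$/ { next }                     # skip blank lines
        {
            if (!match($0, /NOPASSWD:/)) next
            spec = substr($0, RSTART + RLENGTH)  # everything after the tag
            n = split(spec, cmds, ",")
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                gsub(/^[ \t]+|[ \t]+$/, "", c)
                if (c == "ALL")      printf "NOPASSWD-ALL\t%s\n", $0
                else if (c !~ / /)   printf "NOPASSWD-ANY-ARGS\t%s\t%s\n", c, $0
            }
        }'
}

# install_dropin NAME: read a rule set on stdin, refuse it if the audit finds
# NOPASSWD: ALL, syntax-check it with visudo -cf when visudo is installed, then
# install it under $SUDOERS_D (default /etc/sudoers.d) with mode 0440.
# Returns 0 on success, 1 if refused by the audit, 2 if visudo rejects it.
install_dropin() {
    name=$1
    dir=${SUDOERS_D:-/etc/sudoers.d}
    tmp=$(mktemp)
    cat > "$tmp"
    if sudoers_audit < "$tmp" | grep -q '^NOPASSWD-ALL'; then
        echo "refusing $name: contains a NOPASSWD: ALL grant" >&2
        rm -f "$tmp"
        return 1
    fi
    if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmp" >/dev/null 2>&1; then
        echo "refusing $name: visudo syntax check failed" >&2
        rm -f "$tmp"
        return 2
    fi
    install -m 0440 "$tmp" "$dir/$name" && rm -f "$tmp"
}

# Audit the constructed rule set: the %deploy line and the dev line are flagged,
# the deploy line (one command with fixed arguments) is not.
printf '%s\n' "$SAMPLE_RULES" | sudoers_audit
```

To use it for real, run it as root with `SUDOERS_D` unset, e.g. `printf 'deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx\n' | install_dropin deploy`. The visudo step is the same check `sudo visudo -f` performs interactively; the audit step is the guard rail that interactive editing does not give you.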
Using su without the - Flag
```shell
# Inherits your PATH, which is likely to cause command-not-found errors:
$ su deploy

# Correct: reproduce deploy's login environment
$ su - deploy
```
Quick Reference
| Task | Command |
|---|---|
| Run one command as root | sudo command |
| Start a root login shell | sudo -i |
| Run one command as another user | sudo -u user command |
| Open an interactive shell as a user | sudo -u user -i |
| Invalidate sudo credential cache | sudo -k |
| List your current sudo permissions | sudo -l |
| Safely edit sudoers | sudo visudo |
Copy-Paste Templates
```shell
# Check what sudo allows you to run
sudo -l

# Run one command as root
sudo apt update

# Start a root shell, and exit when done
sudo -i
exit
```